Sunday, October 30, 2011

Working with Web Vulnerabilities and Web Application Firewalls [Part 3 - An Insecure Environment]

[Note: this is part three of a multi-part series of posts detailing my experiences with securing web applications, creating test environments for practicing and installing and operating a web application firewall. Web security is an extremely important part of IT security since almost every major organization has a "web face." I will be exploring XSS, mySQL injection, and the use of web application firewalls to protect against these attacks.]

Now that we have a basic database of information that we can use later on, we need a way of practicing our exploitation techniques (and eventually our protection techniques) on a web application. Luckily, there is a solution called "Damn Vulnerable Web App." DVWA is a PHP/mySQL web application that is deliberately built with vulnerable pages and adjustable security levels, so it can be attacked on purpose across a number of attack vectors. We will be installing it in order to eventually protect against the attacks, but also to attack (and learn).

Downloading DVWA
DVWA can be downloaded from the project's home page. From the Fedora machine, download and extract the ZIP file from the download page. Next, the files need to be moved into the web root. (If you don't have an Apache/PHP/mySQL server configured, please return to part two.)

Installing DVWA
I will be using root for this exercise, since the files are going under /var/www/html. Keep in mind that this only affects who owns the copied files: Apache still runs as its own unprivileged user (apache on Fedora), so moving the files as root does not make the application itself run as root. The goal is to make the application as vulnerable as possible, and working as root simply keeps the setup steps from failing on file permissions.

[root@localhost current_dir]# mv dvwa /var/www/html

Next, because mv keeps the SELinux label the files had where you extracted them (a user home directory label, for example) rather than giving them the web content label, we need to allow httpd to read them. Issue the following command; the -P makes the change persistent across reboots:

setsebool -P httpd_read_user_content 1

Now, in the web browser, navigate to your site's address followed by /dvwa. You'll see an error telling you that the database has not been set up yet, with a link to the setup page.
Click the link to set up your database, then click the "Create/Reset Database" button. If it was successful, the setup page reports that the database and its tables were created.

If you search in your mySQL database via command line or phpMyAdmin, you should now see a "dvwa" database.

Logging In
If you return to /dvwa in your browser, you'll be presented with a login screen. The default login is:
Username: admin
Password: password

Finishing Up
Now that DVWA is installed, we need to change a few PHP settings so that it is as insecure as possible. Older PHP builds shipped with magic_quotes_gpc turned on, which runs addslashes() over every GET, POST and cookie value before the script sees it; that backslash-escapes quotes and breaks the simple quote-based mySQL injection payloads used in the DVWA exercises. It was never a real defence (it does nothing for injection into an unquoted numeric field, and it was deprecated in PHP 5.3 and removed in 5.4), but it has to be off for the exercises to behave. allow_url_fopen and allow_url_include are needed for the remote file inclusion exercises. These are configuration settings rather than PHP versions, so do not assume a site is safe just because it runs a newer PHP.

On Fedora the PHP configuration lives in /etc/php.ini, so type:

vim /etc/php.ini

Then find and set the following directives (this name = value form is php.ini syntax):

magic_quotes_gpc = Off
allow_url_fopen = On
allow_url_include = On

Then save, exit and restart httpd so the new values are loaded. Do not put these three lines in a .htaccess file: Apache will either ignore the file (AllowOverride None) or reject the unknown directives with a 500 error, since .htaccess expects the php_flag magic_quotes_gpc Off form, and in any case allow_url_fopen and allow_url_include are system-level directives that can only be set in php.ini or the main Apache configuration, never per directory.
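The effect of the magic_quotes_gpc setting is easier to see with a worked example. The following is an added illustration, not code from the original post or from DVWA. It makes two assumptions so that it runs offline: SQLite stands in for mySQL, and because SQLite has no backslash escaping, the effect of magic_quotes_gpc (PHP's addslashes() on every request value) is emulated by doubling the quote, which produces the same string literal. The users table, the row data and the payloads are all constructed here.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table (not DVWA's real data).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]


def magic_quotes_escape(value: str) -> str:
    """Emulate what magic_quotes_gpc = On did to one request parameter.

    PHP applied addslashes() to every GET/POST/cookie value, turning ' into \\'
    (which MySQL reads as a literal quote).  SQLite does not understand
    backslash escapes, so here the same effect is produced by doubling the
    quote, the SQL-standard way to embed ' in a string literal (assumption).
    """
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """In-memory database so the example runs without a MySQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_quoted(conn, user_id: str, magic_quotes: bool):
    """DVWA-style low security query: the parameter is pasted into a quoted
    string literal.  magic_quotes=True simulates magic_quotes_gpc = On."""
    if magic_quotes:
        user_id = magic_quotes_escape(user_id)
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_unquoted(conn, user_id: str, magic_quotes: bool):
    """Same bug, but the developer 'knew' the id was numeric and left the
    quotes out.  A payload with no quotes gives magic quotes nothing to escape."""
    if magic_quotes:
        user_id = magic_quotes_escape(user_id)
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {user_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id: str):
    """The real fix: a parameterised query.  The value is bound by the driver
    and never parsed as SQL, so no escaping setting is involved."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    quote_payload = "1' OR '1'='1"
    numeric_payload = "1 OR 1=1"
    print("quoted, magic off :", lookup_quoted(db, quote_payload, False))
    print("quoted, magic on  :", lookup_quoted(db, quote_payload, True))
    print("unquoted, magic on:", lookup_unquoted(db, numeric_payload, True))
    print("parameterised     :", lookup_safe(db, quote_payload))
```

Run it with python3 and compare the four lines: the classic quote payload dumps every row only while magic quotes is off, the numeric payload against an unquoted field dumps every row even with magic quotes on, and the parameterised query returns nothing for either payload. That is the practical reason the setting must be off for the DVWA exercises, and also why it should never be relied on as protection.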

Next in the Series
Next I will be using the DVWA setup to test some common vulnerabilities such as XSS and mySQL injection. Following that, I will be installing a web application firewall in front of the application to determine how such a configuration can help protect against exploitation.

1 comment:

  1. Nice, accurate and to the point. Not everyone can provide information with proper flow.